-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability



1. *Advisory Information*

Title: Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
Advisory Id: CORE-2009-1103
Advisory URL: http://www.coresecurity.com/content/CORE-2009-1103
Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: Coordinated release



2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0264



3. *Vulnerability Description*

A memory corruption occurs on Microsoft Office Excel 2002 when parsing a
.XLS file with a malformed DbOrParamQry record. This vulnerability could
be used by a remote attacker to execute arbitrary code in the context of
the currently logged on user, by enticing the user to open a specially
crafted file.


4. *Vulnerable packages*

   . Microsoft Excel 2002 (Office XP SP3)


5. *Non-vulnerable packages*

   . Microsoft Office 2003
   . Microsoft Office 2007


6. *Vendor Information, Solutions and Workarounds*

Microsoft has addressed this vulnerability by issuing an update located
at http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx


7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

A memory corruption occurs on Microsoft Office Excel 2002 when parsing a
.XLS file with a malformed DbOrParamQry record. The precise affected
executable versions that we tested are:

   . EXCEL.exe version 10.0.6501
   . EXCEL.exe version 10.0.6854
   . EXCEL.exe version 10.0.6856

 The vulnerable version is Microsoft Office Excel XP SP3.

According to the MSDN documentation [2] the DbOrParamQry record
specifies a DbQuery or ParamQry record depending on the preceding
record. The Record Query Parameters (ParamQry) offset DCh, contains
information about ODBC parameterized queries. This record has the
following format:


/-----
Offset  Name    Size  Contents
4      wTypeSql  2    Used for ODBC queries; the parameter SQL type
6      flags     2    Option flags

- -----/

By modifying this record an exploitable condition can be triggered. An
excerpt of the vulnerable code follows:


/-----
EXCEL!Ordinal41+2c20ce:
302c20ce 8b461c           mov     eax,[esi+0x1c]
ds:0023:0180aa98=0197013c
302c20d1 85c0             test    eax,eax
302c20d3 0f84e1000000     je      EXCEL!Ordinal41+0x2c21ba (302c21ba)
[br=0]
302c20d9 8b08             mov     ecx,[eax]
ds:0023:0197013c=00010001
302c20db 50               push    eax
302c20dc ff5108           call  dword ptr [ecx+0x8]
ds:0023:00010009=5c003a00

Access violation - code c0000005 (first chance)
eax=0197013c ebx=00000001 ecx=00010001 edx=0000014c esi=0180aa7c
edi=00000000
eip=5c003a00 esp=001363ec ebp=00136400 iopl=0         nv up ei pl nz na
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00000206
5c003a00 ??               ???

- -----/


9. *Report Timeline*

. 2009-11-04:
Core Security Technologies notifies the Microsoft team of the
vulnerability and sends a Proof of Concept malformed file. Planned
publication date is set to February 9th 2010.

. 2009-11-04:
Microsoft acknowledges receipt of the report, and opens case 9564 to
track this issue.

. 2009-11-19:
Microsoft confirms that the reported bug is exploitable on Office 2002,
and that it is a bulletin class issue. Microsoft analysis indicates that
Office 2003 and Office 2007 are not affected by this vulnerability.
Microsoft estimates that its projected release date will be later than
February.

. 2009-11-19:
Core replies that it needs additional information about Microsoft fix
development and testing process, in particular a concrete estimated date
for the release of fixes, before rescheduling publication.

. 2009-12-18:
Microsoft communicates that the Office Excel Team has scheduled a fix
for this issue for March 9th 2010, and requests that Core reschedules
publication of its advisory to that date.

. 2009-12-21:
Core agrees to reschedule publication to March 9th 2010, and tells
Microsoft that it's still waiting for their technical analysis of the bug.

. 2010-01-28:
Microsoft informs Core that it is still on track to release the patch
for this vulnerability in March 2009.

. 2010-02-18:
Microsoft informs Core that unexpected issues will force them to
postpone the bulletin release from March, and that they will try to
release it in April 2010.

. 2010-03-02:
Microsoft tells Core that finally the patch for this issue will be
released on March 9th 2010.

. 2010-03-08:
Core acknowledges receipt of the previous mail, and requests the URL of
Microsoft's security bulletin to include in the vendor information
section of its advisory.

. 2010-03-09:
The advisory CORE-2009-1103 is published.



10. *References*

[1] Microsoft Security Bulletin MS10-017
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx
[2] MSDN DbOrParamQry entry
http://msdn.microsoft.com/en-us/library/dd953289.aspx


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuWvzgACgkQyNibggitWa3sgQCfW9M7pPRWJ82ytbaY0V8rJh6W
3/4AmwQbyIyX8Lg2FPDrzetOCkgybb35
=HNzF
-----END PGP SIGNATURE-----